Re: RFID Tags

From: lsi (stuart@cyberdelix.net)
Date: Tue May 18 2004 - 21:58:43 EDT


Firstly, it's evident there's a bunch of potential attacks out there.
In addition to unauthorised usage and replay attacks, multiple people
have pointed out the potential for Denial of Service attacks, against
the card, against the reader, against the user, or against the back-
end database. Some people have also suggested attacks on data
integrity, whereby false data is written back to the tag, in order to
later manipulate the database which stores the altered data; others
have suggested falsifying either the data on the tag, or the tags
themselves, for various purposes.

More comments inline..

> > Let's go back to our hypothetical commuter train for a moment. I think
> > that this would be more valuable in a targeted attack than a general
> > fishing expedition.
>
> Definitely. Getting a sweep from an individual will be more useful
> than pinging an entire train (bus, theater, etc.) worth of people.
> Even if you could localize the responses (not a sure thing - signal
> strength, as mentioned previously, is not a sure indication of source)
> the sheer volume of information returned would probably make it of
> dubious value in a real-time situation.

My one-word counter to the signal strength issue is: triangulation.
OK, so this requires two readers and a bit of number-crunching. But
depending on the value of the target, this is feasible. This
technique would involve two transceivers pinging the tags
simultaneously, and correlating the returned signal strength and tag
data. It would allow the attackers to build a 3D map of every tag in
range.

Couple this with the Big Database of All RFIDs in the Known Universe,
and you have a device that can instantly identify and geolocate high-
value targets, or targets matching specific criteria.

> > the case, is it not possible to simply transmit a higher
> > power signal, and thus boost the response from the tag to
> > gain more range?

> Higher power, based on what? And what about the nearer RFIDs you cook while
> trying to get enough power to the ones that are further away? And of course
> this assumes that you can get enough gain without overloading all of them
> (or cooking your own gonads).

This attack is not suitable for all scenarios, as you note. However,
it would be suitable for a targeted attack on a specific individual,
as the distance between the attacker and the victim could be
controlled by the attacker. The attackers would of course wear foil
underwear.

Some people have questioned whether it's a big deal to be able to
recover tag data. Some tags store more than just IDs, so it's not
as simple as saying 'it's just a number'. But even if it were just a
number, just one unique number leaking from your person could be
used to track you around the transit system. A whole bunch of them
would let the Watchers know what *mood* you were in! Your particular
combination of RFIDs would make a specific pattern on their screens;
and they could watch it morph, day-to-day, play it back and see when
you bought this, when you stopped wearing that. Maybe nobody cares -
today. What about tomorrow? Maybe it would suit someone to know
where all the DVDs of Michael Moore's latest movie actually
WENT...... Marketers could show you ads targeted at your specific
shoesize. Stores in competition with one another could monitor the
spending habits of people simply walking through their doors - no
need to make a purchase! And if you ever did, well they could match
all that up with your name, if you had one single leaking RFID on you
at the time, that you also had on you when you were there previously.
And this is only for RFIDs in shoes, jeans, etc. The privacy
implications for RFIDs in documents would be far worse. An RFID in a
driver's license would take all the fun out of matching up
individuals with RFID combinations!

It seems to me that without authentication, these things are at best,
useless, and at worst, an open door for criminal activity.

Stuart

---
Stuart Udall
stuart at@cyberdelix.dot net - http://www.cyberdelix.net/
--- 
 * Origin: lsi: revolution through evolution (192.168.0.2)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT